Analysis of Korean War Anniversary Cyber Attack and Malware

In both North Korea and South Korea, several websites were defaced and brought down via a DDoS attack on the anniversary of the start of the Korean War.

The Red Alert (R3d4l3rt) team in South Korea has provided an in-depth analysis of the vulnerabilities and methods used to access and deface government websites and obtain personal information, as well as of the malware used to target DNS servers in a DDoS attack.

At around 9:10 AM on June 25th, the Blue House (the equivalent of the U.S. White House) and key government agency websites were the target of attacks. These attacks included website defacement, distributed denial of service (DDoS) attacks and the compromise of personal data for some government personnel, including the U.S. Army’s 3rd Marine, 25th Infantry, and 1st Cavalry Divisions. As a result, the South Korean government raised its cyber-alert level to the third highest; most of the websites had recovered and were back up by the end of the day.

Vulnerability Exploit & Site Defacement

Shortly after the attack a video appeared on YouTube showing the process used to hack the Blue House website; it has since been removed by YouTube. The Blue House website, hosted on a Solaris 10 SPARC system, appears to have been compromised by taking advantage of a WebSphere Application Server (WAS) vulnerability, as well as a file upload/download vulnerability in a bulletin board.

The attack in the video utilized the “w3b_avtix” toolkit to gain access to deface the website as well as to escalate privileges and access data. The other defaced websites are assumed to have also been compromised through server vulnerabilities, many of which are known, but the systems targeted were unpatched. Here is the list of sites the Red Alert team has reported as compromised.

Org                                        Website
-----------------------------------------  -----------------------------
The Blue House                             www.president.go.kr
The Office for Government Policy           pmo.go.kr/pmo_web/main
  Coordination
The Ministry of National Defense           www.mnd.go.kr
The NIS                                    www.nis.go.kr
Chosun Ilbo                                www.chosun.com
Daegu Ilbo                                 www.idaegu.com
Maeil Shinmun                              www.imaeil.com
Korea Press Foundation                     www.kpf.or.kr/index.jsp
eToday                                     www.etoday.co.kr
Saenuri Party Seoul                        seoul.saenuriparty.kr
Saenuri Party Gyeonggi-do                  www.visiongg.com
Saenuri Party Incheon                      www.hannaraincheon.or.kr
Saenuri Party Busan                        busan.saenuriparty.kr
Saenuri Party Ulsan                        ulsan.saenuriparty.kr
Saenuri Party Gyeongnam                    gyeongnam.saenuriparty.kr
Saenuri Party Jeju                         jeju.saenuriparty.kr
Saenuri Party Gyeongsangbuk-do             www.gbsaenuri.kr
Saenuri Party Gangwon                      www.hangangwon.org/

DDoS Attack Against DNS Server

In addition to the site defacement a distributed denial of service attack targeted two DNS servers:

ns.gcc.go.kr [152.99.1.10]

ns2.gcc.go.kr [152.99.200.6]

The connections came from domestic systems that had been compromised by malware spread earlier and scheduled to initiate DNS queries at a rapid rate with a fairly large query size (1,500 bytes) to increase the load on the server. The captured DNS query packets show randomized subdomain requests:

Image Credit: Red Alert Team

The malware that initiates the attack on unknowing users’ systems is:

Filename        MD5
--------------  --------------------------------
wuauieop.exe    F60935E852D0C7BCFFAA54DDA15D009A

The malicious file was dropped and executed on compromised systems on June 25 at 10 AM. From samples, the Red Alert team has determined that the malware was created on 6/24/2013.

Once the malware is unpacked it creates a UDP socket and sets the IP address and port of the target DNS server. Two threads are created to loop through the task. The malware generates a random string and prepends it as a subdomain to “gcc.go.kr”.

Domain Creation – Image Credit: Red Alert Team

The malware then builds the query packet and sends it using the sendto function. It then resets the connection properties and starts the process all over, ad infinitum.
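From the defender's side, the traffic pattern described above (one client sending a high rate of large queries for never-before-seen random labels under a single zone) is distinctive enough to flag from DNS query logs. The following detector is an added example written for this article; it is not code from the Red Alert team or from the malware analysis. It assumes a simple log format of "epoch_seconds client_ip qname query_bytes" per line, and the sample log lines, the thresholds and the 1-second rate window are constructed for illustration and would need tuning for a real resolver.

```python
import math
from collections import Counter, defaultdict

# Zone targeted in the attack described in the article.
ZONE = "gcc.go.kr"

# Constructed sample log lines (not real capture data). Assumed format:
# "<epoch_seconds> <client_ip> <qname> <query_bytes>"
# 10.0.0.5 behaves normally; 10.0.0.7 mimics the random-subdomain flood.
SAMPLE_LOG = """\
1372122600.000 10.0.0.5 www.gcc.go.kr 45
1372122601.000 10.0.0.5 mail.gcc.go.kr 46
1372122602.000 10.0.0.5 www.gcc.go.kr 45
1372122600.500 10.0.0.9 www.example.com 40
1372122600.000 10.0.0.7 x9k2pq7v.gcc.go.kr 1500
1372122600.010 10.0.0.7 m3lw0zyc.gcc.go.kr 1500
1372122600.020 10.0.0.7 a8d4hs1n.gcc.go.kr 1500
1372122600.030 10.0.0.7 q5t7r2ej.gcc.go.kr 1500
1372122600.040 10.0.0.7 b6u9f3kp.gcc.go.kr 1500
1372122600.050 10.0.0.7 z1y4o8wg.gcc.go.kr 1500
1372122600.060 10.0.0.7 c7e2j5lr.gcc.go.kr 1500
1372122600.070 10.0.0.7 n0p3v6xa.gcc.go.kr 1500
1372122600.080 10.0.0.7 h4s8m1tq.gcc.go.kr 1500
1372122600.090 10.0.0.7 k2g7b9yd.gcc.go.kr 1500
1372122600.100 10.0.0.7 w5r0u3zc.gcc.go.kr 1500
1372122600.110 10.0.0.7 f8n6i2ho.gcc.go.kr 1500
"""

# Detection thresholds (assumed values, chosen for the constructed sample).
RATE_QPS = 10.0        # queries per second from one client
UNIQUE_RATIO = 0.8     # share of labels never repeated by that client
MIN_ENTROPY = 2.5      # mean Shannon entropy (bits/char) of the labels
RATE_WINDOW = 1.0      # floor for the observed time span, in seconds


def shannon_entropy(text):
    """Shannon entropy in bits per character; random labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into (timestamp, client_ip, qname, size)."""
    ts, ip, qname, size = line.split()
    return float(ts), ip, qname.lower().rstrip("."), int(size)


def subdomain_label(qname, zone):
    """Return the part of qname below zone, or None if qname is outside it."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    return qname[: -len(suffix)]


def analyze(lines, zone=ZONE):
    """Per-client statistics for queries under the monitored zone."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, qname, size = parse_line(line)
        label = subdomain_label(qname, zone)
        if label is None:
            continue  # queries for other zones are not relevant here
        per_src[ip].append((ts, label, size))

    stats = {}
    for ip, recs in per_src.items():
        times = [r[0] for r in recs]
        span = max(times) - min(times)
        n = len(recs)
        stats[ip] = {
            "queries": n,
            "rate": n / max(span, RATE_WINDOW),
            "unique_ratio": len({r[1] for r in recs}) / n,
            "mean_entropy": sum(shannon_entropy(r[1]) for r in recs) / n,
            "mean_size": sum(r[2] for r in recs) / n,
        }
    return stats


def is_random_subdomain_flood(s):
    """All three signals together: fast, never-repeating, random-looking labels."""
    return (s["rate"] >= RATE_QPS
            and s["unique_ratio"] >= UNIQUE_RATIO
            and s["mean_entropy"] >= MIN_ENTROPY)


def suspicious_sources(lines, zone=ZONE):
    """Sorted list of client IPs whose query pattern matches the flood."""
    return sorted(ip for ip, s in analyze(lines, zone).items()
                  if is_random_subdomain_flood(s))


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG.splitlines()).items():
        flag = "FLOOD" if is_random_subdomain_flood(s) else "ok"
        print(f"{ip:<10} {s['rate']:6.1f} qps  uniq={s['unique_ratio']:.2f}  "
              f"H={s['mean_entropy']:.2f}  size={s['mean_size']:.0f}  {flag}")
```

Requiring all three signals at once keeps false positives down: a busy legitimate client repeats the same few hostnames (low unique ratio, low entropy), while the flood described here never repeats a label and every label looks random. The mean query size is reported alongside because the 1,500-byte queries the article notes are a fourth signal an operator can add once the normal size distribution on their resolver is known.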